gnupg12, gnupg users, please reply.

David Evans devans at
Tue Jul 8 13:40:29 PDT 2014

On 7/7/14 1:30 PM, Mihai Moldovan wrote:
> * On 07.07.2014 04:09 pm, David Evans wrote:
>> The two ports that I am most interested in are GNOME gcr and gpgme (a
>> dependency of seahorse).
>> gcr will build with either gnupg or gnupg2 but it checks gnupg first
>> so if both are installed it will select gnupg.  A simple patch will
>> fix this.
>> gpgme is currently at version 1.4.2 which only uses gnupg but is
>> outdated but 1.4.3+ can use gnupg2 and prefers it over gnupg.
> Both systems are non-deterministic. Trace mode enforces determinism in this
> case, but it's still a good idea to force the GPG version explicitly (even more
> so, as trace mode is not the default.)
> As the maintainer, what do you prefer? There are three options:
>   - stick with gnupg
>   - switch to gnupg2
>   - select gnupg or gnupg2 via variants (can be coupled with some glue TCL code
> to set default variant to either prefer gnupg or gnupg2 if both are installed,
> the currently installed port if only one is installed, automatically select
> gnupg or gnupg2 based on your preference if none is installed or having the user
> override any automatic detection by explicitly selecting a variant)

My preference is to try and be guided by the spirit of the upstream
developers and how they configure their project.

So, I vote to leave gcr depending on gnupg for now, since it doesn't use
the extra capabilities of gnupg2, the configure file only falls back to
gnupg2 if gnupg is not installed and there is no configure option to
specify which one you want.  Depending on gnupg, therefore, is the only
way to ensure deterministic configuration in the case where both
versions of gnupg are installed (without a patch).

In the case of gpgme 1.5.0, it works the other way round.  The package
only falls back to gnupg if gnupg2 is not detected and again there is
no way to specify which one you want.  So depending on gnupg2 is the
only way in this case to ensure you have a deterministic build.  By the
way, this package now does this version check logic at run time, not
configure time, so changing its behavior is more challenging.

I've gone ahead and updated gpgme to 1.5.0 using gnupg2 in r121819. 
I've kept gnupg2 as a lib dependency rather than a run dependency since
it's needed for confidence checks that are run as part of the build and
test phases.

I think that applying similar logic to the rest of the gnupg dependents
would yield a reasonable solution as to which version to use.  If the
package allows one to specify explicitly which version to use, I would
go with gnupg2.  Otherwise, I would use whichever version it favors and
will provide a deterministic configuration.


More information about the macports-dev mailing list